Errors regarding digital signature after installing Ivanti Endpoint Security (EPS) on Windows 7 or Windows Server 2008 R2
The following errors are seen:
Your computer was unable to start. Startup repair is checking your system for problems
After booting, EPS will not be running correctly because Startup Repair will have removed the EPS driver (LDSECDRV.SYS). Upon reinstall you may be presented with the following message:
Windows requires a digitally signed driver
If you reboot at this point there will be no LDSECDRV.SYS and you will receive the following error from EPS:
Cannot start the Ivanti Endpoint Security Service. You need administrator rights to start the service.
The Windows Security event log reports Event ID 6281:
Log Name: Security
Date: 2018-09-05 12:39:26
Event ID: 6281
Task Category: System Integrity
Keywords: Audit Failure
Description: Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
File Name: \Device\HarddiskVolume2\Windows\System32\drivers\LDSecDrv.sys
Ivanti now publishes the EPS driver LDSECDRV.SYS using the latest SHA-256 signing algorithm.
The Ivanti EPS driver LDSECDRV.SYS is not compatible with Windows 7 or Windows Server 2008 R2 systems that do not have the Microsoft Windows update KB3033929 installed:
This update allows Windows 7 and Windows Server 2008 R2 to use the SHA-256 signing technology for drivers. It is recommended to update your computers to the latest patch level prior to installing Endpoint Security. Later operating systems should not experience this issue.
* Ivanti Patch Manager patch ID 3033929_MSU - Microsoft security advisory: Availability of SHA-2 code signing support for Windows 7 and Windows Server 2008 R2: March 10, 2015 (3033929). Microsoft is announcing the reissuance of an update for all supported editions of Windows 7 and Windows Server 2008 R2 to add support for SHA-2 signing and verification functionality. This update supersedes the 2949927 update that was rescinded on October 17, 2014 to address issues that some customers experienced after installation. As with the original release, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT, and Windows RT 8.1 do not require this update because SHA-2 signing and verification functionality is already included in these operating systems. This update is not available for Windows Server 2003, Windows Vista, or Windows Server 2008.
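A check to run before installing EPS, as an added example that is not Ivanti's own tooling: it confirms KB3033929 is present on Windows 7 / Windows Server 2008 R2 and lists any existing Event ID 6281 records for LDSecDrv.sys. The function names are hypothetical, and it assumes an elevated PowerShell session.

```powershell
# Added example: prerequisite check before installing EPS. Function names are hypothetical.
# Uses only cmdlets present in PowerShell 2.0 (the Windows 7 default).
# Run elevated: reading the Security log requires administrator rights.

$kbId       = 'KB3033929'      # update named in this article
$driverName = 'LDSecDrv.sys'   # EPS driver named in this article

function Test-IsAffectedOs {
    # Windows 7 and Windows Server 2008 R2 both report version 6.1.
    $v = [Environment]::OSVersion.Version
    return ($v.Major -eq 6 -and $v.Minor -eq 1)
}

function Test-KbInstalled([string]$Id) {
    # Get-HotFix raises a non-terminating error when the update is absent.
    # Only the update ID named in this article is checked.
    $hotfix = Get-HotFix -Id $Id -ErrorAction SilentlyContinue
    return ($null -ne $hotfix)
}

function Get-DriverIntegrityFailure([string]$Driver) {
    # Event ID 6281: Code Integrity found invalid page hashes for an image file.
    $filter = @{ LogName = 'Security'; Id = 6281 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($Driver) }
}

if (-not (Test-IsAffectedOs)) {
    Write-Output "Not Windows 7 / Server 2008 R2: $kbId is not required."
    exit 0
}

# Report earlier failures so a machine that already hit the problem is identified.
$failures = @(Get-DriverIntegrityFailure $driverName)
if ($failures.Count -gt 0) {
    Write-Output "Found $($failures.Count) Event ID 6281 record(s) for $driverName; most recent:"
    $failures | Select-Object -Property TimeCreated, Id, Message -First 1 | Format-List
}

if (Test-KbInstalled $kbId) {
    Write-Output "$kbId is installed: SHA-256 signed drivers can be verified."
    exit 0
}

Write-Output "$kbId is missing: install it before installing Endpoint Security."
exit 1
```

The exit code (0 when the prerequisite is met or not needed, 1 when the update is missing) lets a deployment task gate the EPS install on the result.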